SOX approach with Engineering

  • Our IT SOX effort was a success, and now the Engineering department also wants to have procedures and processes as best practices, using SOX as an inspiration.
    As you know, this now focuses on a whole NEW way of assessing security and best practices, applying the same underlying message from SOX: access, password policy, change management, etc.
    Has anyone been involved in something like this in the past? Especially in the hardware/software industry?
    It’s easy to say what’s in scope for SOX (financial impact and related areas), but I am not sure how to approach security for Engineering, etc.
    Any suggestions, feedback and advice would be greatly appreciated.

  • Hi SOXGAL,
    It sounds as if, for the moment, you have mainly focused on two of the COSO control objectives: getting reliable FS (financial statements) and compliance with laws and regulations, based on PCAOB instructions and the final rules of the SEC. That is what SOXA is all about.
    If you apply the COSO control components in other departments and areas, other than those directly affecting the financial reporting risks, it means that you will also look at the effectiveness and efficiency of operations control objective. This implies reviewing all the operational processes and understanding the business very well. This could be the starting point to focus on, though the other two control objectives should remain.

  • You may want to consider ISO 17799 for them; it would also give a specific target to aim for: certification. In the past I’ve found that makes a project much more effective than simply doing something because it sounds like a good thing, but with no specific objective in mind.

  • Thank you, Angie and CoolCat, for your responses.

  • So, what’s the difference between ISO 17799 and SOX? From what I read about ISO 17799, it has domains and controls, etc., very similar to SOX. I guess it is expanded further to non-financial systems/areas, whereas SOX is about financially related areas/systems?
